diff --git a/docs/docs/configuration/alpha_config.md b/docs/docs/configuration/alpha_config.md
index 6fb53fe9..c9b6ae94 100644
--- a/docs/docs/configuration/alpha_config.md
+++ b/docs/docs/configuration/alpha_config.md
@@ -606,7 +606,7 @@ RedisStoreOptions contains configuration options for the RedisSessionStore.
 (**Appears on:** [Cookie](#cookie))
 SameSiteMode is an enum representing the different SameSite modes for cookies
-Available modes are "lax", "strict", "none", and "" (default browser behavior)
+Available modes are "Lax", "Strict", "None", and "" (default browser behavior)
 ### ScriptAccess
 #### (`string` alias)
@@ -614,7 +614,7 @@ Available modes are "lax", "strict", "none", and "" (default browser behavior)
 (**Appears on:** [Cookie](#cookie))
 ScriptAccess is an enum representing whether a cookie is accessible to JavaScript
-Available modes are "allow", "deny" (default behavior)
+Available modes are "Allow", "Deny" (default behavior)
 ### SecretSource
diff --git a/pkg/apis/options/cookie.go b/pkg/apis/options/cookie.go
index 60b2706e..d4a4fb99 100644
--- a/pkg/apis/options/cookie.go
+++ b/pkg/apis/options/cookie.go
@@ -16,23 +16,23 @@ const (
 )
 // SameSiteMode is an enum representing the different SameSite modes for cookies
-// Available modes are "lax", "strict", "none", and "" (default browser behavior)
+// Available modes are "Lax", "Strict", "None", and "" (default browser behavior)
 type SameSiteMode string
 const (
- SameSiteLax SameSiteMode = "lax"
- SameSiteStrict SameSiteMode = "strict"
- SameSiteNone SameSiteMode = "none"
+ SameSiteLax SameSiteMode = "Lax"
+ SameSiteStrict SameSiteMode = "Strict"
+ SameSiteNone SameSiteMode = "None"
 SameSiteDefault SameSiteMode = ""
 )
 // ScriptAccess is an enum representing whether a cookie is accessible to JavaScript
-// Available modes are "allow", "deny" (default behavior)
+// Available modes are "Allow", "Deny" (default behavior)
 type ScriptAccess string
 const (
- ScriptAccessDenied ScriptAccess = "deny"
- ScriptAccessAllowed ScriptAccess = "allow"
+ ScriptAccessDenied ScriptAccess = "Deny"
+ ScriptAccessAllowed ScriptAccess = "Allow"
 ScriptAccessNone ScriptAccess = ""
 )
diff --git a/pkg/apis/options/legacy_cookie.go b/pkg/apis/options/legacy_cookie.go
index b214ff13..9262ff3a 100644
--- a/pkg/apis/options/legacy_cookie.go
+++ b/pkg/apis/options/legacy_cookie.go
@@ -63,6 +63,18 @@ func (l *LegacyCookie) convert() Cookie {
 }
 }
+ var sameSite SameSiteMode
+ switch l.SameSite {
+ case "lax":
+ sameSite = SameSiteLax
+ case "strict":
+ sameSite = SameSiteStrict
+ case "none":
+ sameSite = SameSiteNone
+ default:
+ sameSite = SameSiteDefault
+ }
 return Cookie{
 Name: l.Name,
 Secret: secret,
@@ -71,7 +83,7 @@ func (l *LegacyCookie) convert() Cookie {
 Expire: l.Expire,
 Insecure: &insecure,
 ScriptAccess: scriptAccess,
- SameSite: SameSiteMode(l.SameSite),
+ SameSite: sameSite,
 CSRFPerRequest: &l.CSRFPerRequest,
 CSRFPerRequestLimit: l.CSRFPerRequestLimit,
 CSRFExpire: l.CSRFExpire,
diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go
index a221ac91..fef560de 100644
--- a/pkg/cookies/cookies.go
+++ b/pkg/cookies/cookies.go
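Review bot: The new constant values are case-sensitive ("Lax", not "lax") and no longer match the lowercase spellings the legacy flag path still accepts, yet the SameSiteMode and ScriptAccess doc comments in this hunk say nothing about it, so a user who copies the old lowercase value into an alpha config now gets a validation error rather than a hint. Add to the SameSiteMode comment `// Values are case-sensitive and use the Set-Cookie attribute spelling; the legacy lowercase flag values ("lax", "strict", "none") are translated in LegacyCookie.convert.` and a parallel sentence on ScriptAccess stating whether the legacy "allow"/"deny" spellings are mapped, since this diff shows such a mapping only for SameSite. The const block whose closing `)` opens the hunk begins outside it.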
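Review bot: The `default:` arm of the new switch in convert() maps every unrecognised SameSite string, including the newly documented capitalised spellings "Lax"/"Strict"/"None" and any typo, to SameSiteDefault, i.e. no SameSite attribute on the cookie, whereas the replaced `SameSiteMode(l.SameSite)` passed the raw value on so the options validation would reject it. Unless legacy options are validated separately before convert runs (not visible here), a misconfigured `--cookie-samesite` now silently weakens the CSRF posture instead of failing startup. Pass unknown values through so validation still sees them, `default: sameSite = SameSiteMode(l.SameSite)`, or switch on `strings.ToLower(l.SameSite)` so both spellings are accepted and only genuinely unknown values fall through. convert() starts before this hunk and ends after the following one.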
@@ -69,13 +69,13 @@ func GetCookieDomain(req *http.Request, cookieDomains []string) string {
 // Parse a valid http.SameSite value from a user supplied string for use of making cookies.
 func ParseSameSite(v options.SameSiteMode) http.SameSite {
 switch v {
- case "lax":
+ case options.SameSiteLax:
 return http.SameSiteLaxMode
- case "strict":
+ case options.SameSiteStrict:
 return http.SameSiteStrictMode
- case "none":
+ case options.SameSiteNone:
 return http.SameSiteNoneMode
- case "":
+ case options.SameSiteDefault:
 return 0
 default:
 panic(fmt.Sprintf("Invalid value for SameSite: %s", v))
diff --git a/pkg/validation/cookie.go b/pkg/validation/cookie.go
index 31e7b238..c4ab9b9d 100644
--- a/pkg/validation/cookie.go
+++ b/pkg/validation/cookie.go
@@ -21,9 +21,9 @@ func validateCookie(o options.Cookie, refresh time.Duration) []string {
 }
 switch o.SameSite {
- case "", "none", "lax", "strict":
+ case options.SameSiteLax, options.SameSiteStrict, options.SameSiteNone, options.SameSiteDefault:
 default:
- msgs = append(msgs, fmt.Sprintf("cookie_samesite (%q) must be one of ['', 'lax', 'strict', 'none']", o.SameSite))
+ msgs = append(msgs, fmt.Sprintf("cookie_samesite (%q) must be one of ['', 'Lax', 'Strict', 'None']", o.SameSite))
 }
 // Sort cookie domains by length, so that we try longer (and more specific) domains first
diff --git a/pkg/validation/cookie_test.go b/pkg/validation/cookie_test.go
index 30002126..b2e3219a 100644
--- a/pkg/validation/cookie_test.go
+++ b/pkg/validation/cookie_test.go
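Review bot: ParseSameSite's `default:` arm still panics on anything other than the four exact-case constants, but the comment above the function only says it parses "a user supplied string", which after this change reads as if lowercase input were acceptable. Replace it with a Go doc comment that states the contract: `// ParseSameSite maps an already-validated options.SameSiteMode ("Lax", "Strict", "None" or "", case-sensitive) to its http.SameSite value; any other value is a programming error and panics, so callers must rely on options validation having run first.` The function's closing braces lie outside the hunk.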
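Review bot: The appended msgs line hard-codes `'Lax', 'Strict', 'None'` while the case arm directly above it uses the options constants, so both had to be edited in lockstep in this commit and will drift the next time a value changes. Derive the message from the constants while keeping the wording byte-identical: `fmt.Sprintf("cookie_samesite (%q) must be one of ['', '%s', '%s', '%s']", o.SameSite, options.SameSiteLax, options.SameSiteStrict, options.SameSiteNone)`. validateCookie begins before this hunk and continues past it.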
@@ -63,7 +63,7 @@ func TestValidateCookie(t *testing.T) {
 invalidSecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 6 bytes"
 invalidBase64SecretMsg := "cookie_secret must be 16, 24, or 32 bytes to create an AES cipher, but is 10 bytes"
 refreshLongerThanExpireMsg := "cookie_refresh (\"1h0m0s\") must be less than cookie_expire (\"15m0s\")"
- invalidSameSiteMsg := "cookie_samesite (\"invalid\") must be one of ['', 'lax', 'strict', 'none']"
+ invalidSameSiteMsg := "cookie_samesite (\"invalid\") must be one of ['', 'Lax', 'Strict', 'None']"
 testCases := []struct {
 name string
@@ -216,7 +216,7 @@ func TestValidateCookie(t *testing.T) {
 Expire: time.Hour,
 Insecure: ptr.To(false),
 ScriptAccess: options.ScriptAccessAllowed,
- SameSite: "none",
+ SameSite: options.SameSiteNone,
 },
 refresh: 15 * time.Minute,
 errStrings: []string{},
@@ -231,7 +231,7 @@ func TestValidateCookie(t *testing.T) {
 Expire: time.Hour,
 Insecure: ptr.To(false),
 ScriptAccess: options.ScriptAccessAllowed,
- SameSite: "none",
+ SameSite: options.SameSiteLax,
 },
 refresh: 15 * time.Minute,
 errStrings: []string{},
@@ -246,7 +246,7 @@ func TestValidateCookie(t *testing.T) {
 Expire: time.Hour,
 Insecure: ptr.To(false),
 ScriptAccess: options.ScriptAccessAllowed,
- SameSite: "none",
+ SameSite: options.SameSiteStrict,
 },
 refresh: 15 * time.Minute,
 errStrings: []string{},
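Review bot: The three rewritten cases only show that the new capitalised constants pass validation; nothing in this file asserts that the previous lowercase spellings are now rejected, which is the behaviour change most likely to bite existing alpha configs. Add a case with `SameSite: "lax"` whose errStrings contains `"cookie_samesite (\"lax\") must be one of ['', 'Lax', 'Strict', 'None']"`, so a later change that quietly re-accepts or mis-maps the old values is caught. TestValidateCookie continues beyond the last hunk.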